National Cyber Security Awareness Month. Week Two: Creating a Culture of Cybersecurity at Work

Transcription

1 National Cyber Security Awareness Month Week Two: Creating a Culture of Cybersecurity at Work

2 Webinar Recording and Evaluation Survey This webinar is being recorded and will be made available online to view later o Recording will also be available at After the webinar, you will receive a notice asking you to complete a webinar evaluation survey. Thank you in advance for completing the webinar evaluation survey. Your feedback is important to us.

3 Tips for viewing this webinar: The questions box and buttons are on the right side of the webinar window. This box can collapse so that you can better view the presentation. To unhide the box, click the arrows on the top left corner of the panel. If you are having technical difficulties, please send us a message via the questions box on your right. Our organizer will reply to you privately and help resolve the issue.

4 Today s Speakers Mr. Ralph Johnson Chief Information Security and Privacy Officer King County, Wash. Mr. Peter Romness Cycbersecurity Business Developmen Manager Cisco Systems, Inc. Ben Scribner Cyber Education and Awareness, U.S. Department of Homeland Security

5 National Association of Counties (NACo) National Cyber Security Awareness Month Webinar October 7, 2015

6 Chief Information Security and Privacy Officer King County Washington Adjunct Instructor ITT Technical Institute, Seattle Past Governance Board President Holistic Information Security Practitioner Institute (HISPI) Member MS-ISAC Executive Committee Member MS-ISAC Trusted Purchasing Alliance Product Review Board Member MS-ISAC Education and Awareness Committee National Association of Counties (NACo) Cyber-Security Task Force

7 Hashtag #CyberAware in your social media messages.

8 As high-profile cybersecurity incidents reveal the true impact a data breach can have on an organization businesses are recognizing the need for new approaches to information security. In an era of increasing data breaches organizations must actively make cybersecurity a part of their culture and equip every employee with the knowledge and tools to prevent and address data security issues.

9 4537 breaches made public consisting of over 827.4M records breached since Year Number of Breaches Records Average Records / Breach ,821, , ,607, , ,965, , ,659, , ,893, , ,341,662 20, ,133, , ,988,987 41, ,840, , ,876, , ,245,967 1,140, as of September 2015

10 Costs associated with breaches are rising. According to Ponomon Institute and IBM the average total cost of a data breach for the participating companies increased 23% since 2013.

11 Assess risks and assets Update data security plans regularly Implement policies, procedures and best practices for data security Enforce policies Lead by example Extend cybersecurity awareness outside the office Educate and train employees Diversify and repeat Empower employees Assess training and awareness programs

12 Begin with an assessment of cybersecurity risks and assets Know the risks facing the organization Maintain an up-to-date inventory of the organizations information assets

13 Perform assessments on a regularly Stay up-to-date with new or evolving threats and/or address new business functions that may increase existing risks, or create new ones. Preparation Detection and Analysis Containment, Eradication and Recovery Post Incident Activity

14 Policies should address issues such as; Acceptable use Passwords Social media Incident reporting Backup and recovery Software installation and licensing Disaster recovery Based on best practices, industry standards and regulatory guidance. Easily accessible to all employees and should not be so restrictive or onerous that they discourage compliance.

15 Highlight data security as an employees' responsibility Impose consequences for non-compliance to make employees see data security as part their job responsibility.

16 Employees are more likely to take cybersecurity measures seriously when executives and managers confirm the organization's commitment to information security by actively participating in cybersecurity programs, training and other measures.

17 Employees are more likely to pay attention when organizations stress the importance of data protection in their personal family life, as well as in the workplace.

18 Employees are reluctant to follow policies they don t understand. Educate employees on the reasons behind policies. Training should be mandatory and carried out on a regular basis.

19 Convey the importance of cybersecurity by using a variety of resources; Posters Newsletters tips Blogs Reminders Staff meetings

20 Encourage employees to provide suggestions and feedback to invest employees in data protection and help gauge the effectiveness of the organization's data security efforts.

21 Regularly assess security awareness programs and related training to ensure they address all relevant issues, identify knowledge gaps and are achieving the organization's goals. Mock exercises, exams or interviews can verify that employees understand the training materials, while surveys or other resources can help evaluate the program's efficiency or identify areas for improvement.

22

23 Ralph Johnson, CISSP, CISM, HISP, CIPP/US King County Chief Information Security and Privacy Officer (Office) (Mobile)

24 Creating a Culture of Cybersecurity at Work Peter Romness [email protected] Cybersecurity Solutions Lead US Public Sector October Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24

25 Think Like an Attacker Sending phishing s to just 10 employees will get hackers inside corporate gates 90 percent of the time Verizon 2015 Data Breach Investigations Report (DBIR) Attackers use phishing techniques because they work and because the lesssophisticated approach drew less scrutiny from defenders Symantec 2015 Internet Security Threat Report 2015 Cisco and/or its affiliates. All rights reserved. 25

26 Technology Doesn t Cover Everything People Process Technology 2013 Cisco and/or its affiliates. All rights reserved. 26

27 Technology Doesn t Cover Everything Example: NIST Framework Only half of the Framework s Categories are addressed by technology Highlights the importance of both people and process in cybersecurity 2013 Cisco and/or its affiliates. All rights reserved. 27

28 Buy-in from the whole team Highlight the benefits to all: Personal protection - privacy and safety At work and at home Organization reputation Preserve the trust of those we serve Save money and jobs Reward positive actions and results Highlight the positive Cisco and/or its affiliates. its affiliates. All rights All rights reserved. reserved. 28

29 Effective Workplace Training Should be: Brief and Engaging Frequent Achievable even easy Persistent Consistent Fun! Cisco and/or its affiliates. its affiliates. All rights All rights reserved. reserved. 29

30 Thank You

31 Creating a Culture of Cybersecurity at Work Benjamin Scribner Department of Homeland Security (DHS) National Cybersecurity Education & Awareness Branch (CE&A) October 2015 National Association of Counties (NACo) NCSAM Webinar

32 Who needs to practice good cybersecurity? Consider cyber when Protecting private information Connecting with care and being web wise Being a good online steward Employees Consider cyber in Acquisitions Policies Risk assessments etc. Business IT Actively Identify Protect Detect Respond Recover 32

33 For Business and Employees participate Join us this NCSAM by educating and empowering your community to take steps to protect themselves and their families online: Promote NCSAM in your organization or community Become a NCSAM Champion Participate in NCSAM 2015 Twitter chats Attend a NCSAM event in your area Use the NCSAM hashtag #CyberAware to promote your organization s involvement in raising cybersecurity awareness Learn more at: dhs.gov/national-cyber-security-awareness-month StaySafeOnline.org/ncsam 33

34 For Business and IT goto NICCS niccs.us-cert.gov Training/Education Catalog Workforce Development toolkit Workforce Framework Questions? contact : [email protected] 34

35 Q&A You may ask a question using the questions box on the right side of the webinar window. 35

36 Contact Information Jerryl Guy, MS, MCSE, CISSP IT Manager, NACo Phone: (202)